Re: ipchains help
On Thu, 14 Dec 2000, Minta Adrian wrote:

/sbin/ipchains -A input -p tcp -s ! 192.168.1.0/24 -d 0/0 110 -j DENY

That above should work, although it isn't perfect. A default policy of reject, or deny (for in, out, and forward), then selectively opening holes would be better.

Also, do not forget tcpwrappers (/etc/hosts.deny, hosts.allow). For example, if you are using qpopper, you could add this to hosts.deny

in.qpopper: ALL

and hosts.allow

in.qpopper: 192.168.1.0/24

> Hello everybody,
>
> I run a very small office network connected to the Internet by a
> Debian station. The Debian stores the mail and offers web access using
> squid as a proxy server (no masquerading).
> Inside my network I use private addresses 192.168.1.x .
>
> For security reasons I want to block POP3 access from outside.
> I tried something like:
>
> #ipchains -A input -p tcp -s ! 192.168.1.0/255.255.255.0 --dport 110 -j DENY
>
> ... but without any luck.
>
> Could somebody please give me a hint?
>
> --
> Best regards,
> Minta Adrian - YO3GIH phone: +401.683.66.52
> mailto:[EMAIL PROTECTED] http://www.csit-sun.pub.ro/~gygy/

---
J.R. Blain [EMAIL PROTECTED] http://www.2kservices.com
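Added example, not part of the original messages: a small Python model of first-match chain evaluation that compares the single DENY rule from the reply above with a default-deny policy. The packet addresses, the SMTP hole and squid port 3128 are assumptions made for illustration.

```python
# Added illustration (not from the original thread): first-match evaluation of
# an ipchains-style input chain, as a model rather than a firewall.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # internal network named in the thread

def rule(target, src=None, negate_src=False, dport=None, proto="tcp"):
    return {"target": target, "src": src, "negate_src": negate_src,
            "dport": dport, "proto": proto}

def matches(r, pkt):
    if r["proto"] != pkt["proto"]:
        return False
    if r["src"] is not None:
        inside = ip_address(pkt["src"]) in r["src"]
        if inside == r["negate_src"]:  # "!" inverts the source match
            return False
    return r["dport"] is None or r["dport"] == pkt["dport"]

def evaluate(chain, policy, pkt):
    """The first matching rule decides; the chain policy applies otherwise."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

# Approach 1: policy ACCEPT plus the single DENY rule from the reply.
BLOCK_POP3 = ([rule("DENY", LAN, negate_src=True, dport=110)], "ACCEPT")

# Approach 2: policy DENY with explicit holes. Assumed for illustration:
# SMTP open to everyone, POP3 and squid (default port 3128) for the LAN only.
DEFAULT_DENY = ([rule("ACCEPT", dport=25),
                 rule("ACCEPT", LAN, dport=110),
                 rule("ACCEPT", LAN, dport=3128)], "DENY")

# Constructed sample packets; 203.0.113.7 is a documentation address.
PACKETS = [{"proto": "tcp", "src": s, "dport": d} for s, d in [
    ("203.0.113.7", 110), ("192.168.1.20", 110), ("203.0.113.7", 3128),
    ("203.0.113.7", 25), ("203.0.113.7", 23)]]

def verdicts(ruleset):
    chain, policy = ruleset
    return [evaluate(chain, policy, p) for p in PACKETS]

if __name__ == "__main__":
    for p, a, b in zip(PACKETS, verdicts(BLOCK_POP3), verdicts(DEFAULT_DENY)):
        print(f'{p["src"]:>13} -> tcp/{p["dport"]:<5} single rule: {a:<7} default deny: {b}')
```

The single rule leaves squid and every other port reachable from outside, which the default-deny chain closes. A real ipchains ruleset would also need rules for loopback and for replies to outbound connections, since ipchains does no connection tracking.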
Re: Inherited ISP host configuration nightmare
On Fri, 18 Aug 2000, Gene Grimm wrote:

The easiest thing I can think of is ipportfw. Why not just forward the mail or http ports to the other machine (probably the http in this case)?

Maybe set up a simple ip chain on the mail ports to keep track of how much data goes through them, or even logging the IPs of the users who go through. (Cross-reference with access logs and you should have an idea of which clients to have your support department contact when they aren't too busy.)

Puts a little extra load on the Linux box, but I am sure it can handle it.

> Upon reviewing host configurations created by my predecessor, I
> inherited a nightmare. DNS was misconfigured from the start, causing
> dial-up clients to use a SMTP/POP3 hostname of "domain.com" instead of
> "mail.domain.com". We need "domain.com" to resolve to the NT web server
> for "http://domain.com" requests and to the Linux mail server for mail
> client software. It will take a few months to migrate clients to a new
> SMTP/POP3 host name. Does anyone know how to best handle this on the
> Linux host in the interim? Many thanks in advance for any assistance.

---
J.R. Blain [EMAIL PROTECTED] http://www.top100.org
[EMAIL PROTECTED] http://www.2kservices.com